Dwayne McDaniel, developer advocate at GitGuardian.com, joins host Priyanka Raghavan to talk about the engineering challenges of secrets management. They explore what “secrets” really are in modern systems—far beyond passwords—including API keys, tokens, certificates, and machine identities, and how “secret sprawl” emerges across the SDLC. Drawing on reports from GitGuardian and Verizon, they discuss the growing scale of secret leaks and why credential abuse and phishing remain dominant attack vectors.
They examine common leak points—from code repos and logs to CI/CD pipelines, containers, and SaaS integrations—and how cloud, DevOps, and AI tooling are amplifying risks. Priyanka quizzes Dwayne about recent supply chain attacks from pyPi and trivy ecosystems, highlighting recurring root causes like poor access control, long-lived credentials, and weak security hygiene. Finally, they consider detection, response, and modern solutions—short-lived credentials, secret scanning, and identity-based approaches like OWASP NHIR and SPIFFE/SPIRE—ending with practical advice for engineers to reduce blast radius and design for secure secret lifecycle management.
Brought to you by IEEE Computer Society and IEEE Software magazine.
Show Notes
Related Episodes
- SE Radio 578: Ori Mankali on Secrets Management using Distributed Fragments Cryptography
- SE Radio 311: Armon Dadgar on Secrets Management
- SE Radio 680: Luke Hinds on Privacy and Security of AI Coding Assistants
- SE Radio 658: Tanya Janca on Secure Coding
Other References
- Dwayne McDaniel
- Secrets Security End-To-End – /dev/mtl
- YouTube: Dwayne McDaniel – Solving Secrets Sprawl Takes More Than Sec.: Why Machine Id. Is Everyone’s Problem
- Real-Life Examples of Non-Human Identity Security Breaches and What to Do About Them (Updated Regularly)
- OWASP Non-Human Identities Top 10 – 2025 – OWASP Non-Human Identities Top 10
- How GitGuardian Enables Rapid Response to the LiteLLM Supply Chain Attack
- The Team PCP Snowball Effect: A Quantitative Analysis